NAS Security Guide: How to Secure Your Network-Attached Storage

By James Crace — Last Updated: 07 Jul '17 (2017-06-14T05:32:21+00:00)

Network-attached storage, or NAS, is a cheap and efficient way to expand your storage at home or in the office. Today we’ll look at the steps you can take to keep your NAS secured and your data safe. You don’t need to be an experienced sysadmin to follow along: anyone can learn how to secure their NAS by taking these steps and keeping a few security principles in mind.

A NAS makes a great file server and local backup solution. They’re fairly cheap off-the-shelf, and if you’re feeling adventurous you can always roll your own. We’ve written a practical guide explaining what a NAS is in case you’re unfamiliar.

The process of securing your NAS varies depending on which device you own. At Cloudwards.net, we’re big fans of the QNAP and Synology devices. They’re affordably priced while offering all the features users need, like integrated cloud backups. We’ve covered the best cloud backup for Synology and we have a general roundup of the best cloud backup for NAS devices this year.

Basic Security Principles

The first line of security is your home network. In 2014, security researcher Jacob Holcomb audited NAS devices from 10 manufacturers, finding vulnerabilities in all of them.

That’s the bad news. The good news is that to carry out these attacks, cybercriminals have to have direct access to your network. Securing your router and your home network will greatly reduce the risk of your NAS device being compromised. You can further reduce the risk of a hack by following these basic security principles:

Always change default passwords

Do not click suspicious links in emails or elsewhere, especially if they redirect to your local network (http://192.168.x.x for example)

Use random, alphanumeric passwords for both your router and NAS logins

Regularly update the firmware on your router or NAS. Turn on automatic updates if supported

Following these simple security principles will go a long way towards keeping you safe online. Stopping any would-be attackers at the router level is the first step to securing your NAS device, and we’ll take a quick look at securing your router next.

Secure Your Router

Now, it’s hard to give step-by-step instructions since there are so many different routers, so this is just a general overview to get you started. Your router manufacturer should have a section on their website with instructions and details for your particular device.

You can log in to your router by typing its IP address in the address bar. Usually this is http://192.168.1.1 or similar, but a quick search for your router model should pull up the information you need: the IP, default username and password.

Step 1. Log in to your router and change the default password. If you have the option to change the username from “admin,” do so as well. Attackers use automated tools to scan networks, so changing “admin” to something else makes these attacks useless.

Step 2. Disable WPS if your router has this feature. Don’t ever use WPS as it is terribly insecure.

Step 7. Enable logging so that in the event something happens, you have a record to track the problem down.

That’s it for router security basics. Now that you’ve locked your network down, let’s take a look at how to secure your NAS device.

Basic NAS Security Guidelines

With all the different models of NAS devices, it’s impossible to give a one size fits all guide to securing your NAS. Instead, focus on learning these principles and the reasoning behind them. Once you learn what to look for and why, you can find specific instructions for your NAS from the manufacturer’s website.

Admin Accounts and Passwords

Always change the default password for the administrator account. If possible, create a new administrator account with a different name and delete the default “admin” account, as brute-force attacks only work by repeatedly trying to guess the password for this account.

Enable SSL

When you access your NAS via the web interface, you should see “https://” at the beginning of your address bar along with a padlock, indicating your connection is encrypted. If this isn’t enabled by default, turn it on. Otherwise, your credentials are transmitted in the open and available to potential attackers.

Only Enable What’s Necessary

Your NAS can run various web apps that will be accessible over the net. Only enable what you need and if you open a port on your router to access your NAS from the Internet, make sure you are using a strong username and password. Consider enabling any filtering or auto-blocking features your NAS offers to eliminate brute-force login attempts.

Use a VPN

If your NAS can run a VPN server, you can use this when away from home to access your device securely. When you connect to the VPN, you’ll have access to your local area network (LAN). This means you only have to open up a port on your router for the VPN, greatly reducing the attack surface for your NAS.

Connecting to your NAS via a VPN is one of the best ways you can keep your NAS secure. Check the manufacturer’s website to learn how to set up a VPN on your specific device. Also make sure to check out our selection of best VPN providers as well as our overview of VPN reviews to get an idea of what’s available out there.

Following the guidelines above will increase the security of your setup, and they’re easy steps to implement. Now, we’ll look at some specific features offered in the various Synology and QNAP devices.

Securing a Synology NAS

Synology devices offer users several options to lock down their NAS and enhance security. We’ll start by removing the default account and creating a new one with a secure passphrase.

Create a New User

Step 1. Log in to DiskStation Manager and from the main menu click “control panel” then click “users.”

Step 2. Click “create,” then click “create user.”

Step 3. Enter the username and password of your choice, then click “next.”

Step 4. Click the “add” checkbox to add your new user to the “administrators” group, then click “next.”

Step 5. Give the new administrator account access to all folders by ticking the “read/write” box, then click “next.” Click “next” again, unless you want to set a disk quota.

Step 6. Tick the “grant” box to give the new admin account access to applications, then click “next.”

Step 7. Click “next” to skip setting a speed limit, then click “apply.”

That’s it, you now have a new administrator and can proceed to disable the old admin account.

Disable the Admin Account

Step 1. Log out of the DSM and then log in with the newly created administrator account.

Step 2. From the main menu, go to “control panel” and click “users.”

Step 3. Click the “admin” account, then click “edit.”

Step 4. Tick the box for “disable this account” and click “ok.”

Now that we have a new administrator account and have disabled the old default account, let’s look at setting up two-step verification.

Two-Step Verification for Synology NAS

This process requires a mobile phone with an authenticator app installed, such as Google Authenticator. Install the app now before you continue. You’ll always need your phone when logging into DSM.

Enabling two-step verification means that an attacker attempting to access your account needs your password as well as your phone, greatly reducing the possibility of compromise.

Step 4. Open the authenticator app on your phone and scan the QR code displayed by the wizard. Click “next.”

Step 5. Enter the code generated by the authenticator app. Codes are updated periodically, so do this quickly before it expires. Click “next.”

Step 6. Click “close” and click “ok” to save your changes.

You’ll now be prompted to enter a verification code every time you log in to the DSM. While it may seem like a hassle at first, it only takes a few seconds and greatly increases the security of your NAS.

Enabling Auto-Block for Synology NAS

Lastly, we’ll enable auto-block. Attackers use automated tools to scan and exploit other computers, and by enabling auto-block we can blacklist the IP address of any attackers after a certain number of failures.

Step 1. From the main menu, click “control panel,” then click “security.”

Step 3. We’ll enter the number five for both “login attempts” and “within (minutes)” here, as this is a safe default.

Step 4. You can tick the box for “enable block expiration” if you want the block to expire after a certain number of days.

Step 5. Click “apply” to save your changes.

You can always edit the block list by going back to this screen and clicking “allow/block list.” Enabling auto-block, two-step authentication and creating a new administrator account are three simple steps towards enhancing the security of your NAS device.
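To make the auto-block rule concrete, here is an added sketch (not DSM's implementation) of a sliding-window counter using the guide's setting of five failed logins within five minutes. The log format, the addresses and the choice to ignore successful logins when counting are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the guide: five failed logins within five minutes.
MAX_ATTEMPTS = 5
WINDOW = timedelta(minutes=5)

# Constructed sample log (hypothetical format: ISO timestamp, source IP, result).
SAMPLE_LOG = """\
2017-07-07T10:00:00 203.0.113.9 FAIL
2017-07-07T10:00:20 203.0.113.9 FAIL
2017-07-07T10:00:41 192.168.1.20 FAIL
2017-07-07T10:01:02 203.0.113.9 FAIL
2017-07-07T10:01:30 203.0.113.9 FAIL
2017-07-07T10:02:05 192.168.1.20 OK
2017-07-07T10:02:10 203.0.113.9 FAIL
2017-07-07T10:02:15 203.0.113.9 FAIL
2017-07-07T10:03:00 198.51.100.4 FAIL
2017-07-07T10:09:30 198.51.100.4 FAIL
"""

def auto_block(log_text, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time_blocked} for each address that reaches the threshold."""
    failures = defaultdict(deque)    # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                 # skip malformed lines
        stamp, ip, result = parts
        if ip in blocked or result != "FAIL":
            continue                 # already blocked, or not a failure
        when = datetime.fromisoformat(stamp)
        recent = failures[ip]
        recent.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_attempts:
            blocked[ip] = when
    return blocked

if __name__ == "__main__":
    for ip, when in auto_block(SAMPLE_LOG).items():
        print(f"block {ip} at {when.isoformat()}")
```

A single mistyped password from a LAN client (192.168.1.20 above) never reaches the threshold, and a source that spaces its guesses more than five minutes apart is not caught by this rule alone, which is why the guide pairs auto-block with strong passwords and two-step verification.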

Secure a QNAP NAS

QNAP provides several features built-in that will strengthen the security of your device. Similar to Synology’s auto-block, QNAP offers “network access protection” to block repeated attacks against your NAS. We’ll also use QNAP’s built-in antivirus to keep your NAS clean of any nasty surprises.

Enabling Network Access Protection

You can tick the box for each service that you’ve enabled on your NAS. In general, you should enable network access protection for each service you’ve enabled. Stopping automated attacks is as easy as turning this on.

Conclusion

Securing your NAS is easy, especially with all the features built into modern devices. Locking your NAS down is just a matter of keeping basic security principles in mind, changing default passwords and ticking a few boxes.

A NAS is a great addition to the home or office, and you don’t have to worry about attackers stealing your data or losing it in a crash. At Cloudwards.net, we’ve covered cloud backup solutions for your NAS to prevent data loss, and now we’ve shown you how to secure your NAS device.

Thank you for reading and, as always, feel free to reach out to us in the comments below.

In the market for a new NAS, either QNAP or SYNOLOGY. Wondering how well NAS systems interface with products such as Norton CORE router (fairly new). In this ‘day and age’ cyber security is key – especially where the need to view/alter your files and data remotely is a key requirement.
Thanks